The Digital Operational Resilience Act (DORA) applies to certain financial entities from today – 17th January 2025.
DORA aims to ensure that financial entities operating in the EU financial services industry can withstand, respond to and recover from all types of information and communication technology (ICT)-related disruptions and threats.
Starting today, national competent authorities (NCAs) such as the Central Bank of Ireland (CBI) will initiate their supervision of DORA. This includes conducting reviews to assess compliance along with gathering and verifying information requested by the European Supervisory Authorities (ESAs).
Following today's application date, the next significant deadline for firms is the submission of their register of information to their NCA, which must submit it to the ESAs on 30 April 2025. Firms should therefore be preparing their register of information so that it is ready to share in April. In its Industry Briefing on 6 November 2024, the CBI stated that it would seek to collect registers in the first week of April 2025.
Firms are also required to report major ICT-related incidents within specified timeframes once an incident has been classified as major. The CBI flagged this as a key item for today's application date.
Lastly, a number of firms will be designated by their NCA to conduct threat-led penetration testing. This designation will be communicated to the firms by their respective NCA. These firms must comply with additional advanced testing of their digital operational resilience.
In advance of the 17 January implementation date we have been assisting firms in reviewing their governance, ICT risk management, contractual and other arrangements for DORA readiness. Please reach out if you would like to discuss any of the above with our team.